Meet Your Colleagues: Governance, Risk & Compliance
In the board game, risk means defending one-dimensional territories against imaginary armies. In the world of IT, unmanaged risk has real-world consequences. Sloppy data handling often precedes a security breach.
Getting a comprehensive picture of risks associated with IT products and systems in use at the University is one element of Governance, Risk & Compliance (GRC) in the Information Security Office (ISO). Let's take a closer look at all aspects of GRC.
Despite the prominence of governance in the department name, GRC's bread and butter is risk management and compliance. IT governance-related tasks include enforcing the U's Information Security Policy 4-004, managing exceptions to policy processes, and reporting up to IT governance committees.
"One of the goals of our team is creating a way to assess technology risk here and then communicating that risk to leadership so that they can make decisions," said GRC Associate Director Greg Nance.
In life and work, we can't completely eliminate risk, but we can mitigate it.
In his May 16 UIT Talks event, Nance likened the mitigation concept to the experience of a pedestrian. Take, for example, UIT commuters walking to 102 Tower. Pedestrians can't control driver behavior, but can be reasonably reassured that measures are in place to mitigate risk – traffic lights, walk signals that "chirp" for the hard of hearing, concrete barricades, even painted crosswalk reminders to "LOOK" before they walk (or leap).
In GRC parlance, "mitigation" is interchangeable with "controls." In a work setting, controls apply to everything from firewalls that prevent nefarious actors from obtaining personal information, to employees safeguarding University-owned IT resources, and properly storing and transmitting sensitive data.
Risk Analyst Rudy Matthes oversees inherent risk process, with "the audacious goal of doing an inherent risk assessment on every single information system and application." By every single, he means campus, hospital, high-performance computing, standup systems for researchers, systems used by third party vendors working at the U, everything. And the greater the number of people with access to data, the greater the risk.
"If something is internet-facing, that changes the risk exposure quite a bit," Nance said.
Their focus is data, not devices. GRC Analyst Lana Xaochay, who develops related policies, procedures, and training, explains the team's technology-agnostic approach this way.
"When people think of the Information Security Office and IT, they link the two together and they think we handle devices, and that’s not true," she said. "We’re looking at all data that the University owns, anything used to conduct business for the University. That can be research, clinical, campus, there isn't anything outside of our purview if it’s an information asset utilized in any way."
Pin-pointing data type begins with assigning each system or application with a risk score (high, medium, or low) and data classification – restricted (e.g., Protected Health Information), sensitive (e.g., intellectual property), or public (e.g., directory contact information). This framework helps Matthes identify risks and determine if basic controls are being followed.
He then hands off to Risk Analyst Casey Wilson, who conducts in-depth risk and residual risk assessments.
“I take a deeper dive, look at a bunch of controls, and assess whether whatever system we’re looking at is abiding by those controls,” Casey said. “I quantify the residual risk, and combined with Rudy’s analysis, that’s what we report up to executives.”
Casey is also leading a new vendor security risk management initiative, slated to start by the end of 2017, which will identify the U's critical vendors and help ensure they're meeting the same risk requirements as internal IT systems, starting with 150 vendors the first year.
The regulatory environment in which the University of Utah operates in is broad and growing.
Compliance simply means meeting all of the regulatory requirements set forth by various state and federal agencies, like the Health Insurance Portability and Accountability Act (HIPAA) and Personally Identifiable Information (PII) state privacy laws (more examples at right).
GRC makes sure that system owners and leadership at the organization and University levels are informed about requirements, and prepared to demonstrate to regulators how they're meeting the requirements.
Compliance also encompasses training. Xaochay has been developing a formal security awareness program. An interactive training module about HIPAA is being rolled out to hospital employees in December 2017.
“We’re excited about that,” she said. “A lot of people ask for it. A lot of users want the knowledge, which we’ll continue building and release University-wide eventually.”
GRC becomes involved in risk assessment as a tollgate in the project management lifecycle, but they encourage anyone in the U community who manages a system or application they suspect needs a risk assessment to reach out. See "When should you contact GRC?" at right for more information.
"I like working and talking with people," Matthes said. "You think, information systems, but there’s a person behind that system that we enjoy interacting and engaging with."
Definitions of risk, aka "anything that can go wrong"
Risk: The likelihood of a threat agent taking advantage of a vulnerability resulting in a loss.
Inherent risk: The likelihood/impact of loss arising out of circumstances or existing in an environment, IT resource, or information system in the absence of corrective actions.
Residual risk: The risk of an IT resource that remains after controls or other mitigating factors have been implemented.
Source: Modified from Information Security Policy 4-004
Risk and compliance objectives
- Assess technology risk
- Document risk exposure and corrective action
- Communicate risk to IT leadership
- Maintain info security policy/rules
- Security awareness and training
- Make sure the organization is prepared to demonstrate to regulators how it's meeting regulatory requirements
- Health Insurance Portability and Accountability Act (HIPAA)
- Payment Card Industry (PCI)
- Personally Identifiable Information (PII) state privacy laws
- Family Educational Rights and Privacy Act (FERPA)
- Federal Information Security Management Act (FISMA)
- Others: American Disabilities Act (ADA), Digital Millennium Copyright Act (DMCA), Gramm-Leach-Bliley Act (GLBA), etc.
When should you contact GRC?
- You're implementing a new information system
- You manage an information system housing confidential information which hasn’t been assessed by ISO
- You have a question about security policy requirements or how a specific data type should be handled
- You're working with a vendor who has access to or is hosting University data
- You're planning to move confidential data from one location to another
- Group email: ISO-GRC@utah.edu
- ServiceNow queue: UIT-ISO-Governance, Risk & Compliance
Our monthly newsletter includes news from UIT and other campus/ University of Utah Health IT organizations, features about UIT employees, IT governance news, and various announcements and updates.